‘Cutwail Botnet Is Back’

The Cutwail botnet, also known by names such as Pandex, Mutant, and Pushdo, appears to have been reborn, according to M86 Security Labs researchers, who in the last few weeks have recorded a number of HTML emails laced with malicious JavaScript and most likely sent from Cutwail-infected systems.

According to news published on February 20, 2012 in GnT, Cutwail peaked five years ago, when it topped the botnet activity list with 1.6 million infected systems. However, the botnet could not sustain its leading position after spammers breached the system and exposed the credentials of its clients and associates.

During January 23-25, the volume of malicious messages was 50 times higher than usual, and three further bursts from February 6 were found to be 200 times higher. M86 Security Labs says the emails carried subject lines such as "FDIC Suspended Bank Account" and "Scan from Xerox WorkCentre", among others.

When the user downloads and opens the malicious HTML file, the JavaScript silently redirects the browser to a client-side exploit URL on the attacker's server, which currently relies on the Phoenix web exploit kit. The embedded JavaScript code aims to install malware on the computer through a variety of security holes, for instance in older versions of Acrobat Reader.

In a few cases, the 'Cridex' data-stealing Trojan has been installed. The botnet uses the 'Phoenix Exploit Kit', which is thriving on the black market and achieves infection rates of over 15%. Tests carried out by M86 show that the exploit downloads and installs malware. Besides spam, the botnet was used to carry out cyber attacks in 2010.

Notably, security firm Symantec's MessageLabs estimates that the Cutwail operators now run almost two million systems across the globe, making it the largest botnet on the planet. Other major spam botnets discussed by MessageLabs are Asprox, Darkmailer, Rustock, Grum, Xarvester, Mega-D, Gheg, Donbot, and Beagle.

The top four spam categories, according to M86, are pharmaceuticals (47%), replicas (13%), and gambling and dating (12% each). These categories reflect the ease of use and the appeal of the various affiliate marketing programs that cybercriminals join to make money.